Porn on mobile spreads with new tricks

SEATTLE - Cybercriminals are stepping up the spread of data-stealing programs via pornographic content optimized for viewing on smartphones and touch tablets.

What's more, free apps and mobile ads are being pervasively manipulated by scammers bent on redirecting your clicks to weblinks you had no intention of visiting. Known as click-jackers, these scammers get paid by an advertiser for each such click.

"Mobile threats are following the money," says Kurt Roemer, chief security strategist at Citrix Systems. "With mobile becoming the centerpiece of digital life, attackers are flocking to this target-rich environment in new and innovative ways."

Mobile attacks, for the moment, are largely focused on handsets and tablets that use Google's open-source Android operating system, and fall mostly into the category of nuisances, says Sasi Murthy, Blue Coat's director of product marketing.

The cybercriminals spreading corrupted links, via mobile porn content, appear to be after your phone number and list of contacts to sell to spammers, for instance. This ultimately can lead to your friends receiving more spam on their mobile devices, but nothing more serious than that.

"It's a mistake to trust that apps you download to your mobile device are inherently trustworthy," says Jamz Yaneza, Trend Micro's threat research manager. "Folks are having to learn the hard way that that's not necessarily true."

In fact, much of the malicious activity in the mobile space currently revolves around either stealing address book contacts and profile information, or tricking users into clicking on certain weblinks to generate advertising payments to the scammer.

In the end, "someone other than the legitimate developer is compensated for ad impressions," says Kevin Mahaffey, founder and chief technology officer of Lookout Mobile Security.

In the current mobile environment, consumers ought to exercise healthy skepticism around any offer that seems too good to be true, says Mark Risher, CEO of data integrity firm Impermium.

"On small screens it can be hard to see the signs of a scam, so when in doubt, try viewing the Web page for that app from a full-sized laptop and look for the tell-tale signs," Risher advises.

Be suspicious of sloppy writing or descriptions and any security warnings that appear in your full PC Web browser, he says.

No one in tech security or law enforcement expects mobile threats to remain relatively benign for long. "Any mobile device that's accessing the Web and accessing Web downloads is, in fact, exposed," Murthy says. "And that presents a very real and immediate danger to mobile users."

One big security hole cybercriminals are expected to increasingly focus on is the fact that the operating systems of mobile devices are cumbersome to upgrade. A recent survey by security firm Rapid7 revealed that 67% of devices using the revered Apple iOS platform, which powers iPhones and iPads, are running without the latest feature upgrades and security patches.

"Mobile devices are typically required to be updated by employees and patches can't be pushed by organizations," says Giri Sreenivas, mobile vice president at Rapid7. "Because of this, there is a high percentage of devices running out-of-date firmware."

Android devices are difficult to upgrade because neither the carrier nor the handset maker has much of a financial incentive to push out security patches in a timely manner, says Chris Soghoian, principal technologist at the American Civil Liberties Union.